Even Top Password Managers Are Vulnerable, But Don’t Stop Using Them

Password managers are one of the best ways to keep your account details secure. However, if a recent report is to be believed, then these tools have security flaws we didn’t even know existed.

What’s the issue with password managers?

According to recent research conducted by the ethical hacking group Independent Security Evaluators (ISE), five popular password management services have serious security flaws. ISE approached a Washington Post columnist with its findings. The group told him that even the top password managers are vulnerable and can be targeted with “malware attacks.”

Specifically, the report says Windows 10 apps like KeePass, LastPass, 1Password, Dashlane and RoboForm often leave passwords in a computer’s memory even while the apps are locked. This could enable a hacker who already has access to the PC to read those passwords as well. In addition, the researchers found that 1Password, LastPass and RoboForm may even expose the master passwords.

“The ‘lock’ button on password managers is broken — some more severely than others,” lead researcher Adrian Bednarek said.

In their report, the researchers said they had expected password managers to follow “basic security best practices,” such as wiping the computer’s memory after a user logs out of the password manager and keeping secrets out of the PC’s memory when the app is not in use. However, the researchers found that in all the password managers they examined, it was possible to extract some secrets, including the master password.

The researchers also found that the password managers they examined do attempt “to scrub and [sanitize] memory,” but they fail to properly implement the necessary security measures.
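To make the scrubbing point concrete, here is an added example in C; it is not code from the ISE report or from any of the products named. It models a constructed vault whose weak lock only flips a flag, beside a hardened lock that wipes the master password through a volatile function pointer so the compiler cannot discard the wipe as a dead store; `vault_t`, `vault_lock_weak`, `vault_lock_hardened` and `leftover_secret_bytes` are assumed names.

```c
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 32

/* Constructed vault: one decrypted master password plus a lock flag. */
typedef struct {
    char master[SECRET_LEN];
    int unlocked;
} vault_t;

/* memset via a volatile function pointer: the optimizer cannot drop the
   wipe as a dead store (what explicit_bzero/memset_s/SecureZeroMemory do). */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

/* Unlock: load the master password into the vault. */
static void vault_unlock(vault_t *v, const char *master) {
    strncpy(v->master, master, SECRET_LEN - 1);  /* zero-pads the rest */
    v->master[SECRET_LEN - 1] = '\0';
    v->unlocked = 1;
}

/* Weak lock: flips the flag but leaves the secret resident in memory. */
static void vault_lock_weak(vault_t *v) { v->unlocked = 0; }

/* Hardened lock: flips the flag and wipes the secret before returning. */
static void vault_lock_hardened(vault_t *v) {
    v->unlocked = 0;
    secure_memset(v->master, 0, SECRET_LEN);
}

/* Audit check: how many secret bytes are still readable after locking. */
static size_t leftover_secret_bytes(const vault_t *v) {
    size_t n = 0;
    for (size_t i = 0; i < SECRET_LEN; i++)
        if (v->master[i] != 0) n++;
    return n;
}

int main(void) {
    vault_t v;
    vault_unlock(&v, "correct horse battery");  /* constructed sample */
    vault_lock_weak(&v);
    printf("weak lock leaves %zu secret bytes\n", leftover_secret_bytes(&v));
    vault_lock_hardened(&v);
    printf("hardened lock leaves %zu secret bytes\n", leftover_secret_bytes(&v));
    return 0;
}
```

A real application also has to wipe every copy it made (UI strings, clipboard buffers, freed heap blocks), which is where the report says the examined products fall short even though they attempt to scrub.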

The researchers said their analysts used a “proprietary, reverse engineering, tool” to analyze how good password managers are at handling users’ secrets. Researchers say such a vulnerability “exposes up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.”

Vulnerabilities or trade-offs

The researchers also talked about each app they examined individually. For example, they found that 1Password decrypts individual passwords and then stores them in the PC’s memory. However, the researchers also found that login credentials like the master password remain in the memory. Thus, to avoid this, users must exit the app entirely.

Dashlane users say it exposed their credentials individually, depending on which password a user is accessing. However, Dashlane exposes all the credentials at once when a user updates a password. A similar vulnerability was found in LastPass as well.

The makers of these popular password management services admit to the vulnerabilities highlighted by ISE, but they believe the flaws don’t present a real threat.

“No password manager (or anything else) can promise to run securely on a compromised computer,” Jeffrey Goldberg of 1Password told PCMag in an email.

1Password and KeePass also told PCMag that the issues raised by ISE are not new and are seen as a trade-off.

Don’t stop using password managers

Despite the security flaws, the researchers conclude that it is still better to use password management apps than not to use them at all. Researchers say using such apps is a good thing, especially those made by reputable companies like the ones included in the study. The experts note that such tools add “value to the security posture of secrets management” and also address bad password practices among users. Bad password practices include choosing a weak password, reusing the same password across accounts and more.

However, the researchers have asked the industry to plug such loopholes and come up with better products. Researchers say if such vulnerabilities are not fixed, they will be “the low-hanging fruit, that provides the path of least resistance, to successful compromise of a password manager running on a user’s workstation.”

Until makers of these apps strengthen the security of their products, ISE recommends that users not leave a password manager app running in the background, even in a locked state. Those who are using one of the affected password managers are advised to “terminate the process completely.”

One thing we must not forget is that, despite the vulnerabilities in password managers, hackers first need access to your PC or laptop before they can even try to get into the password manager app. Thus, to prevent this, it is important to use good antivirus software.

Author: Aman Jain. Aman is an MBA (Finance) with experience on both the marketing and finance side. He has worked as a Risk Analyst for AIR Worldwide, and is currently leading VeRa FinServ, a financial research firm. Favorite pastimes include watching science fiction movies, reviewing tech gadgets, playing PC games and cricket. Email him at amanjain@valuewalk.com